2024-02-05 14:58:28

by Théo Lebrun

Subject: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
controller. Neither embeds the other; this leads to memory corruption.

On a given platform (Mobileye EyeQ5) the memory corruption is hidden
inside cqspi->f_pdata. Also, this uninitialised memory is used as a
mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().

Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
Signed-off-by: Théo Lebrun <[email protected]>
---
drivers/spi/spi-cadence-quadspi.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
index 720b28d2980c..1a27987638f0 100644
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1930,10 +1930,9 @@ static void cqspi_remove(struct platform_device *pdev)
static int cqspi_runtime_suspend(struct device *dev)
{
struct cqspi_st *cqspi = dev_get_drvdata(dev);
- struct spi_controller *host = dev_get_drvdata(dev);
int ret;

- ret = spi_controller_suspend(host);
+ ret = spi_controller_suspend(cqspi->host);
cqspi_controller_enable(cqspi, 0);

clk_disable_unprepare(cqspi->clk);
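Review bot: the corrected call depends on cqspi->host already pointing at the registered controller whenever this hook can run, so it is worth confirming in probe that cqspi->host is assigned before runtime PM is enabled, and saying in the commit message that cqspi->host is the back-pointer to the controller (the message only states that the two structs do not embed each other, not why cqspi->host is the right route). Separately, and not introduced here, `ret = spi_controller_suspend(cqspi->host);` is followed unconditionally by `cqspi_controller_enable(cqspi, 0);` and `clk_disable_unprepare(cqspi->clk);`, so a failed controller suspend still tears the hardware down; an early `if (ret) return ret;` would be a sensible follow-up.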
@@ -1944,7 +1943,6 @@ static int cqspi_runtime_suspend(struct device *dev)
static int cqspi_runtime_resume(struct device *dev)
{
struct cqspi_st *cqspi = dev_get_drvdata(dev);
- struct spi_controller *host = dev_get_drvdata(dev);

clk_prepare_enable(cqspi->clk);
cqspi_wait_idle(cqspi);
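Review bot: `clk_prepare_enable(cqspi->clk);` in the visible context drops its return value, so a failed clock enable falls straight through to cqspi_wait_idle() and register access on a possibly unclocked block; this is pre-existing rather than part of the fix, but since the resume hook is being touched, consider `ret = clk_prepare_enable(cqspi->clk); if (ret) return ret;` in the same or a follow-up patch.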
@@ -1953,7 +1951,7 @@ static int cqspi_runtime_resume(struct device *dev)
cqspi->current_cs = -1;
cqspi->sclk = 0;

- return spi_controller_resume(host);
+ return spi_controller_resume(cqspi->host);
}

static DEFINE_RUNTIME_DEV_PM_OPS(cqspi_dev_pm_ops, cqspi_runtime_suspend,
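Review bot: no problem with the change itself; one consistency nit is that cqspi_runtime_suspend() and cqspi_runtime_resume() now both dereference cqspi->host inline, so if the `host = cqspi->host` local suggested downthread is adopted in one hook on respin, do it in both so the two hooks stay symmetric.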

--
2.43.0
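To make the aliasing in the commit message concrete, here is a small userspace C model, written for this page and not taken from the kernel driver, of the before and after patterns: one drvdata pointer read back as two unrelated struct types, versus going through the cqspi->host back-pointer. Struct layouts, the `other_state` padding and the mock `dev_get_drvdata()` are assumptions made so the stray `bus_lock_mutex` access lands inside `f_pdata`, as reported for EyeQ5.

```c
/* Userspace model of the bug this patch fixes; constructed for illustration, not kernel code. */
#include <stddef.h>
/* Cut-down stand-ins for the kernel structs. Layouts are invented, but chosen so
 * the aliased mutex lands inside f_pdata, as the commit message reports. */
struct spi_controller {
	char other_state[32];
	int bus_lock_mutex;	/* locked by spi_controller_suspend() in the kernel */
};
struct cqspi_st {
	struct spi_controller *host;	/* back-pointer to the controller */
	unsigned int f_pdata[16];	/* per-chip-select data, stands in for cqspi->f_pdata */
};
struct device { void *driver_data; };
static void *dev_get_drvdata(const struct device *dev)
{
	return dev->driver_data;	/* mock: returns whatever probe stored */
}

/* Before the fix: "host" is just drvdata, so it silently aliases the cqspi_st. */
static struct spi_controller *host_before_fix(struct device *dev)
{
	return dev_get_drvdata(dev);
}

/* After the fix: reach the controller through the cqspi->host back-pointer. */
static struct spi_controller *host_after_fix(struct device *dev)
{
	struct cqspi_st *cqspi = dev_get_drvdata(dev);
	return cqspi->host;
}

/* 1 if the bogus host->bus_lock_mutex would fall inside cqspi->f_pdata. */
static int aliased_mutex_hits_f_pdata(void)
{
	size_t off = offsetof(struct spi_controller, bus_lock_mutex);
	size_t start = offsetof(struct cqspi_st, f_pdata);
	return off >= start && off < start + sizeof(((struct cqspi_st *)0)->f_pdata);
}

/* Bit 0: buggy pointer aliases the cqspi_st; bit 1: fixed pointer is the real host. */
static int check_fix(void)
{
	struct spi_controller ctlr = { .bus_lock_mutex = 0 };
	struct cqspi_st cqspi = { .host = &ctlr };
	struct device dev = { .driver_data = &cqspi };
	int aliases = (void *)host_before_fix(&dev) == (void *)&cqspi;
	int correct = host_after_fix(&dev) == &ctlr;
	return aliases | (correct << 1);
}
```

check_fix() returns 3 (the old pointer aliases the cqspi_st, the new one reaches the controller), and aliased_mutex_hits_f_pdata() returns 1 for these layouts.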



2024-02-05 15:40:58

by Mark Brown

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

On Mon, Feb 05, 2024 at 03:57:30PM +0100, Théo Lebrun wrote:
> dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
> controller. Neither embed the other; this lead to memory corruption.
>
> On a given platform (Mobileye EyeQ5) the memory corruption is hidden
> inside cqspi->f_pdata. Also, this uninitialised memory is used as a
> mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().

Please place fixes at the start of serieses so that they don't end up
with spurious dependencies on other changes and can more easily be
applied as fixes.



2024-02-07 08:39:20

by Dhruva Gole

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

Hi Mark,

On Feb 05, 2024 at 15:12:10 +0000, Mark Brown wrote:
> On Mon, Feb 05, 2024 at 03:57:30PM +0100, Théo Lebrun wrote:
> > dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
> > controller. Neither embed the other; this lead to memory corruption.
> >
> > On a given platform (Mobileye EyeQ5) the memory corruption is hidden
> > inside cqspi->f_pdata. Also, this uninitialised memory is used as a
> > mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
>
> Please place fixes at the start of serieses so that they don't end up
> with spurious dependencies on other changes and can more easily be
> applied as fixes.

Didn't really understand the comment here, aren't patches 1, 2 and 3
fixes and the last one the non-fix? Thus fixes are indeed placed at the
start of this series, right?

Can you help me understand with some example series?

--
Best regards,
Dhruva Gole <[email protected]>

2024-02-07 08:43:19

by Dhruva Gole

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

On Feb 05, 2024 at 15:57:30 +0100, Théo Lebrun wrote:
> dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
> controller. Neither embed the other; this lead to memory corruption.
>
> On a given platform (Mobileye EyeQ5) the memory corruption is hidden
> inside cqspi->f_pdata. Also, this uninitialised memory is used as a
> mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
>
> Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
> Signed-off-by: Théo Lebrun <[email protected]>
> ---
> drivers/spi/spi-cadence-quadspi.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
> index 720b28d2980c..1a27987638f0 100644
> --- a/drivers/spi/spi-cadence-quadspi.c
> +++ b/drivers/spi/spi-cadence-quadspi.c
> @@ -1930,10 +1930,9 @@ static void cqspi_remove(struct platform_device *pdev)
> static int cqspi_runtime_suspend(struct device *dev)
> {
> struct cqspi_st *cqspi = dev_get_drvdata(dev);
> - struct spi_controller *host = dev_get_drvdata(dev);

Or you could do:
+ struct spi_controller *host = cqspi->host;

> int ret;
>
> - ret = spi_controller_suspend(host);
> + ret = spi_controller_suspend(cqspi->host);

And avoid changing these?

> cqspi_controller_enable(cqspi, 0);
>
> clk_disable_unprepare(cqspi->clk);
> @@ -1944,7 +1943,6 @@ static int cqspi_runtime_suspend(struct device *dev)
> static int cqspi_runtime_resume(struct device *dev)
> {
> struct cqspi_st *cqspi = dev_get_drvdata(dev);
> - struct spi_controller *host = dev_get_drvdata(dev);
>
> clk_prepare_enable(cqspi->clk);
> cqspi_wait_idle(cqspi);
> @@ -1953,7 +1951,7 @@ static int cqspi_runtime_resume(struct device *dev)
> cqspi->current_cs = -1;
> cqspi->sclk = 0;
>
> - return spi_controller_resume(host);
> + return spi_controller_resume(cqspi->host);

ditto.

Thanks,
Dhruva Gole <[email protected]>

> }
>
> static DEFINE_RUNTIME_DEV_PM_OPS(cqspi_dev_pm_ops, cqspi_runtime_suspend,
>
> --
> 2.43.0
>
>


2024-02-07 09:29:22

by Théo Lebrun

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

Hello,

On Wed Feb 7, 2024 at 9:42 AM CET, Dhruva Gole wrote:
> On Feb 05, 2024 at 15:57:30 +0100, Théo Lebrun wrote:
> > dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
> > controller. Neither embed the other; this lead to memory corruption.
> >
> > On a given platform (Mobileye EyeQ5) the memory corruption is hidden
> > inside cqspi->f_pdata. Also, this uninitialised memory is used as a
> > mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
> >
> > Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
> > Signed-off-by: Théo Lebrun <[email protected]>
> > ---
> > drivers/spi/spi-cadence-quadspi.c | 6 ++----
> > 1 file changed, 2 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
> > index 720b28d2980c..1a27987638f0 100644
> > --- a/drivers/spi/spi-cadence-quadspi.c
> > +++ b/drivers/spi/spi-cadence-quadspi.c
> > @@ -1930,10 +1930,9 @@ static void cqspi_remove(struct platform_device *pdev)
> > static int cqspi_runtime_suspend(struct device *dev)
> > {
> > struct cqspi_st *cqspi = dev_get_drvdata(dev);
> > - struct spi_controller *host = dev_get_drvdata(dev);
>
> Or you could do:
> + struct spi_controller *host = cqspi->host;

Indeed. I preferred minimizing line count as I didn't see a benefit to
introducing a new variable. It goes away in a later patch anyway. If you
prefer it this way, tell me and I'll fix it for the next revision.

Thanks Dhruva,

--
Théo Lebrun, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

2024-02-07 09:51:38

by Mark Brown

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

On Wed, Feb 07, 2024 at 02:09:02PM +0530, Dhruva Gole wrote:
> On Feb 05, 2024 at 15:12:10 +0000, Mark Brown wrote:

> > Please place fixes at the start of serieses so that they don't end up
> > with spurious dependencies on other changes and can more easily be
> > applied as fixes.

> Didn't really understand the comment here, aren't the 1,2 and 3 patches
> fixes and the last one the non-fix? Thus fixes are indeed placed at
> start of this series right?

Patch 1 is a rename; this is obviously cosmetic and not a bug fix.



2024-02-07 10:12:17

by Dhruva Gole

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

On Feb 07, 2024 at 10:28:59 +0100, Théo Lebrun wrote:
> Hello,
>
> On Wed Feb 7, 2024 at 9:42 AM CET, Dhruva Gole wrote:
> > On Feb 05, 2024 at 15:57:30 +0100, Théo Lebrun wrote:
> > > dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
> > > controller. Neither embed the other; this lead to memory corruption.
> > >
> > > On a given platform (Mobileye EyeQ5) the memory corruption is hidden
> > > inside cqspi->f_pdata. Also, this uninitialised memory is used as a
> > > mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
> > >
> > > Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
> > > Signed-off-by: Théo Lebrun <[email protected]>
> > > ---
> > > drivers/spi/spi-cadence-quadspi.c | 6 ++----
> > > 1 file changed, 2 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
> > > index 720b28d2980c..1a27987638f0 100644
> > > --- a/drivers/spi/spi-cadence-quadspi.c
> > > +++ b/drivers/spi/spi-cadence-quadspi.c
> > > @@ -1930,10 +1930,9 @@ static void cqspi_remove(struct platform_device *pdev)
> > > static int cqspi_runtime_suspend(struct device *dev)
> > > {
> > > struct cqspi_st *cqspi = dev_get_drvdata(dev);
> > > - struct spi_controller *host = dev_get_drvdata(dev);
> >
> > Or you could do:
> > + struct spi_controller *host = cqspi->host;
>
> Indeed. I preferred minimizing line count as I didn't see a benefit to
> introducing a new variable. It goes away new patch anyway. If you
> prefer it this way tell me and I'll fix it for next revision.

I mean, since you're going to have to respin, then do make this change;
it will further minimise the number of lines of change, right?

It goes away in the last patch, but if at all in some older kernel only
suspend/resume support is there, then only this will get picked, so it's
still not useless code.


--
Best regards,
Dhruva Gole <[email protected]>

2024-02-07 10:14:42

by Dhruva Gole

Subject: Re: [PATCH v2 2/4] spi: cadence-qspi: fix pointer reference in runtime PM hooks

Hey,

On Feb 07, 2024 at 09:50:16 +0000, Mark Brown wrote:
> On Wed, Feb 07, 2024 at 02:09:02PM +0530, Dhruva Gole wrote:
> > On Feb 05, 2024 at 15:12:10 +0000, Mark Brown wrote:
>
> > > Please place fixes at the start of serieses so that they don't end up
> > > with spurious dependencies on other changes and can more easily be
> > > applied as fixes.
>
> > Didn't really understand the comment here, aren't the 1,2 and 3 patches
> > fixes and the last one the non-fix? Thus fixes are indeed placed at
> > start of this series right?
>
> Patch 1 is a rename, this is obviously cosmetic and not a bug fix.


Well, Théo, seems like you'd better fix the first patch, then reorder and
send a v3 :)


--
Best regards,
Dhruva Gole <[email protected]>